Unauthorized Data Modification in miniOrange OTP Verification Plugin for WooCommerce
CVE-2025-14948

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Miniorange Otp Verification And Sms Notification For WooCommerce
Vendor: CVE Published:; 10 January 2026

What is CVE-2025-14948?

The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress contains a vulnerability that allows unauthorized data modification. Due to a missing capability check on the enable_wc_sms_notification AJAX action, unauthenticated attackers are able to modify crucial settings, specifically enabling or disabling SMS notifications for WooCommerce orders. This security oversight impacts all versions of the plugin up to and including 4.3.8, posing a significant risk to the integrity of order notifications and overall e-commerce operations.

Affected Version(s)

miniOrange OTP Verification and SMS Notification for WooCommerce 0 <= 4.3.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/miniorange-sms...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 10, 2026
Vulnerability Reserved
Dec 19, 2025

Credit

Abdualrhman Muzamil

CVE-2025-14948 Data

JSON